How to prevent users from deleting desktop icons using Group policy

Navigation

• Change Log
• Create Group Policy Objects [separate article]
• VDA Group Policy Computer Settings [separate article]
• User Lockdown
  • Start Menu
• File Explorer
• Google Chrome
• Internet Explorer/Edge
  • Internet Explorer Security Zones
  • Internet Explorer Performance
• Folder Redirection
• Microsoft 365 Apps / Office 365 / 2021 / 2019 / 2016
• Adobe Reader / Acrobat Reader DC
• Citrix Files on Citrix Virtual Apps and Desktops [CVAD]
• File Type Association

= Recently Updated

Change Log

• 2021 Sep 16 Office 365 / Office 2021 / Office 2019 Group Policy Templates updated forbuild 5224
• 2021 July 6 disable Office Telemetry
• 2020 Oct 6 Office 2016/365/2019 Group Policy Templates updated forbuild 5077
• 2020 June 12 Microsoft 365 Apps / Office 365 / Office 2019 / Office 2016 Group Policy Templates updated forbuild 5029
• 2020 May 10 Office 2016/365/2019 Group Policy Templates updated forbuild 5011
• 2020 Mar 31 Office 2016/365/2019 Group Policy Templates updated forbuild 4993
• 2020 Feb 29 File Explorer added link to Geir Dybbugt Microsoft Server 2019: No window border/allwhite issue
• 2020 Feb 4 Google Chrome audio issue GPO setting to disable audio sandbox
• 2020 Jan 17 Explorer added link to Winhelponline Removing Quick access from Windows 10 File Explorer [h/t Sean Bolding]
• 2019 Nov 9 Office 2016/365/2019 Group Policy Templates updated forbuild 4936
• 2019 Oct 19 Lockdown added link to CTP Dave Brett Secure Local Drive Access On Your EUC Endpoints
• 2019 Sep 27 Office 2016/365/2019 Group Policy Templates updated forbuild 4924
• 2019 Sep 27 Chrome 77 Audio Issue info from CTX261992 Citrix Virtual Apps and Desktops: No Audio on Google Chrome version 77.x inside ICA session. Also added CTP James Kindon Deploying Brave and Microsoft Edge Dev Browsers in Citrix CVAD environments.
• 2019 Sep 27 Office 2016/365/2019 Group Policy Templates updated forbuild 4918
• 2019 Aug 29 Office 2016/365/2019 Group Policy Templates updated forbuild 4903
• 2019 Jul 18 Start Menu added link to Kasper Johansen The Windows Server 2019 Start Menu Is Playing Nice
• 2019 Jul 15 Citrix Files added link toCitrix Files Deployment Guide with Citrix Virtual Apps and Desktops Service at Citrix Docs

User Lockdown

The following is a list of Group Policy Settings recommended by Microsoft to lockdown a Remote Desktop Session Host / Citrix Session. These settings should go in the Citrix VDA Non-Admin Users GPO. All settings are located at User Configuration > Policies.

This pageassumes the GPOs have already been createdand Loopback Processing has already been enabled.

Some of the settings in this section might require the newer Windows Group Policy Templates.

Control Panel GPO Settings

• User Configuration | Policies |Administrative Templates | Control Panel
  • Always open All Control Panel Items when opening Control Panel = enabled
  • Show only specified Control Panel items = enabled, canonical names =
    • Microsoft.RegionAndLanguage
    • Microsoft.NotificationAreaIcons
    • MLCFG32.CPL
    • Microsoft.Personalization
    • Microsoft.Mouse
    • Microsoft.DevicesAndPrinters
    • Microsoft.System [lets users see the computer name]
• User Configuration | Policies | Administrative Templates | Control Panel | Programs
  • Hide the Programs Control Panel = enabled

Settings Page Visibility

The September 2018 patches for Windows 2016 and Windows 10 add control of Settings Page Visibility in both the Computer half of the GPO [applies to all users], and now in the User half of the GPO [can apply to non-admin users].

1. Make sure the Windows 10 and Windows 2016 VDAs are patched to at least the September 2018 Cumulative Update.
   • For Windows 2016,winver should showOS Build 14393.2515 or higher.
     
   • For Windows 10 1803,winver should show OS Build 17134.320 or higher.
     
2. Go to your \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and find the fileControlPanel.admx. If it is not dated August 30 or later, then youll need to copy the updated version.
   
   1. On one of these newer VDAs, go toC:\Windows\PolicyDefinitions and copy the fileControlPanel.admx. The September 2018 patch updated this file.
      
   2. Go to your \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and paste the .admx file. Overwrite the existing file.
      
   3. On one of these newer VDAs, go toC:\Windows\PolicyDefinitions\en-US and copy the fileControlPanel.adml.
      
   4. Go to your \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions\en-US and paste the .adml file. Overwrite the existing file.
      
3. Edit the Non-Admin Users GPO.
   
4. Go toUser Configuration | Policies | Administrative Templates |Control Panel.
5. On the right isSettings Page Visibility.
   
6. WinaeroHow To Hide Settings Pages in Windows 10 describes this new setting. Also see TechNetHiding pages in Settings with Windows 10 1703. A sample configuration is:showonly:printers;colors. According toServer 2016 & PC Settings/Immersive Control Panel at Citrix Discussions, the maximum length for this field is 255 characters.
   
7. When the non-admin user logs into a Windows 10 or Windows Server 2016 VDA that has the September update installed, the Settings pages are restricted based on the GPO configuration. Since this GPO setting is in the user half of the Non-admin users GPO, admins can still see all Settings pages.
   

Desktop GPO Settings

• User Configuration | Policies | Administrative Templates | Desktop
  • Hide Network Locations icon on desktop = enabled
  • Prohibit user from manually redirecting Profile Folders = enabled
    • Leandro Gonçalves in Twitter says that this setting prevents Citrix Studio UPM Policies from redirecting profile folders. Shouldnt be a problem if using Microsoft GPO to perform Folder Redirection instead of Citrix Studio.
    • Also see CTX250046 Folder Redirection is not working via Studio policies when using Citrix Profile Management.
  • Remove Properties from the Computer icon context menu = enabled
  • Remove Properties from the Recycle Bin icon context menu = enabled

If you prevent access to the Properties of the Computer icon then users might not be able to determine the name of the machine they are connected to.

On Windows Server 2016, screen saver idle time does not work.Arjan Mensch developed a tool to lock the screen after a period of idle time. Launch the tool from a Group Policy login script. Download the tool fromEnforcing lock screen after idle time Windows Server 2016 RDS Session Host.

Start Menu and Taskbar GPO Settings

• User Configuration | Policies | Administrative Templates | Start Menu and Taskbar
  • Clear the recent programs list for new users = enabled
  • Do not allow pinning Store app to the taskbar = enabled
  • Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled
    • In Windows 10 1709, if you want to remove the Power Button, in the VDA, setHKLM\Software\Microsoft\PolicyManager\current\device\Start\HidePowerButton [DWORD] = 1. Source =Power Button Windows 10 VDI at Citrix Discussions.
      
  • Remove common program groups from Start Menu = enabled [only if you have some other means for putting shortcuts back on the users Start Menu/Desktop.Also, enabling this settingmight prevent Outlook desktop alerts. Microsoft3014833]
  • Remove Help menu from Start Menu = enabled [Windows 7 / 2008 R2 only]
  • Remove links and access to Windows Update = enabled
  • Remove Network icon from Start Menu = enabled[Windows 7 / 2008 R2 only]
  • Remove Run menu from Start Menu = enabled [not recommended]
  • Remove the Action Center icon = enabled [not in Windows 10]
  • Remove the networking icon = enabled
  • Remove the People Bar from the taskbar = enabled [Windows 10 1703 and later]
  • Remove the Security and Maintenance icon = enabled [Windows 10]
  • Remove user folder link from Start Menu = enabled [Windows 7 / 2008 R2 only]

If you hide common program groups, then you will need some other method of creating application shortcuts for each user. Group Policy Preferences Shortcuts is the typical method.

Removing the Run menu prevents users from entering UNC paths or drive letters in Internet Explorer.

Start Menu pinned tiles

• Configure Start Menu pinned tiles as desired
  • Remove Server Manager
  • Remove PowerShell
  • Etc.
• Use Export-StartLayout to save to an .xml file.
• Use Import-StartLayout to import to the Default User profile. All new users [new profiles] will get the customized Start Menu layout.

CTP James Rankin Dynamic Start Menu on Server 2016/2019 and Windows 10 using FSLogix App Masking

CTP James Kindon AppMasking The Windows Start Menu using FSLogix

Kasper Johansen The Windows Server 2019 Start Menu Is Playing Nice:

• Clean up the default Start Menu
• Use AppLocker to prevent access to Windows Security

CTP James Kindon Windows 10 Start Menu: declutter the default:

• To eliminate the Start Menu tiles, remove Store apps, and Edge.
  

CTP James RankinManagement of Start Menu and Tiles on Windows 10 and Server 2016, part #1contains the following:

• LayoutModification.xml in Default User Profile
• Start Screen Layout Group Policy setting
• Partially-locked layout
• FSLogix to apply a custom default layout for different user groups on the same device, and allowing users to customize all of it
  

CTP Eric Haavarstein Customize Windows 10 Start Screen and Optimize for Higher User Densitycontains the following:

• Lock down a section of the Start Menu
• Configure Citrix Profile Management to roam the Start Menu
• Remove Provisioned Apps
• Tune Windows using OS Optimization Tool
• Disable Telemetry services

Microsoft Technet Customize Windows 10 Start with Group Policy.

System GPO Settings

• User Configuration | Policies | Administrative Templates | System
  • Prevent access to registry editing tools = enabled, Disable regedit from running silently = No
  • Prevent access to the command prompt = enabled, Disable command prompt script processing = No

Disabling registry editing tools also disables reg.exe. This is true even if silently is set to No.

Explorer GPO Settings

• User Configuration | Policies | Administrative Templates | Windows Components | File Explorer [Windows 8+] or Windows Explorer [Windows 7]
  • Hide these specified drives in My Computer = enabled, Restrict A, B, C, and D drives only
  • Hides the Manage item on the File Explorer context menu = enabled
  • Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only. If this setting is enabled, you cant use Start Menus search to find programs.
  • Prevent users from adding files to the root of their Users Files folder = enabled
  • Remove Map Network Drive and Disconnect Network Drive = enabled
  • Remove Hardware tab = enabled
  • Remove Security Tab = enabled
  • Turn off caching of thumbnail pictures = enabled

Borders Windows Server 2019 File Explorer does not show borders around File Explorer. To add borders, see Geir Dybbugt Microsoft Server 2019: No window border/allwhite issue

To hide specific drive letters:

1. User Configuration => Preferences => Windows Settings => Drive Maps => New Mapped Drive
2. Choose Action Update => Drive Letter Existing C => Hide this drive
3. Common Tab: Run in logged-on userss Security

CTP Dave Brett Secure Local Drive Access On Your EUC Endpoints explains how to block C: drive access from Chrome.

Windows Update GPO Settings

• User Configuration | Policies | Administrative Templates | Windows Components | Windows Update
  • Remove access to use all Windows Update features = enabled, 0 Do not show any notifications

File Explorer

HideFavorites, Libraries, Network and redirected local drives

Winhelponline Removing Quick access from Windows 10 File Explorer details the following registry value to remove Quick Access from File Explorer in Windows 10, or Windows Server 2016 and newer. [h/t Sean Bolding]

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  • DWORD value HubMode = 1

Terence LukHide Favorites, Libraries, Network and redirected local drives for Citrix and RDS published RemoteApp applications: See the Blog Post for instructions to edit the registry on the VDA to hide these items. Similar instructions are provided byDavid Wilkinson atRemove Quick Access from File Explorer in Windows Server 2016.

Explorer Notifications

From TenForumsHow to Hide or Show Sync Provider Notifications within File Explorer in Windows 10: Windows 10 1607 adds notifications inside File Explorer.

To stop these, use Group Policy Preferences to set the following registry value:

• Key =HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Value =ShowSyncProviderNotifications [DWORD] = 0

WindowsSpotlight

Windows 10 1703 and newer shows suggestions, tips and ads on various parts of Windows [Start Menu, lock screen, Action Center, Explorer, etc.]. These notifications are configurable at User Configuration | Policies | Administrative Templates | Windows Components | Cloud Content. Also see Richard HayWindows 10 Creators Update: Turn Off Suggestions, Tips, and Ads Throughout the Operating SystemandChris Hoffman How to Disable All of Windows 10s Built-in Advertising.

Explorer Replacement

Instead of locking down Windows File Explorer, you can run a 3rd party Explorer likeTablacus Explorer. The tool is detailed by Marco Hofmann atTablacus Explorer is an awesome replacement for explorer.exe as a #XenApp published Application!.

Flickering Icons

If you published a desktop on Windows Server 2016, and if you redirected the Desktop folder to a network share, then desktop icons might flicker. Helge Turk atXenApp 7.12/13, Server 2016 desktop icons flickering at Citrix Discussions resolved it becreatingthe following Registry Keyusing Group Policy Preferences:

• HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}

Chrome

Use Chrome Group Policy to push the Chrome plug-in for Citrixs Browser Content Redirection feature in Citrix Virtual Apps and Desktops [CVAD] 1808 and newer.

Chrome 77+ Audio Issue

No Audio on Google Chrome version 77.x and newer inside ICA session.

Newer Google Chrome ADMX templates let you disable the audio sandbox. User Configuration | Policies | Administrative Templates | Google | Google Chrome | Allow the audio sandbox to run = Disabled.

Another workaround is to use Group Policy Preferences to deploy the following registry value: [source = CTX261992 Citrix Virtual Apps and Desktops: No Audio on Google Chrome version 77.x inside ICA session]

If the new Chrome-based Microsoft Edge consumes 100% CPU, then CTP James Kindon Deploying Brave and Microsoft Edge Dev Browsers in Citrix CVAD environments says a similar registry value is needed for the new Edge.

• Key = HKLM\SYSTEM\CurrentControlSet\services\CtxUvi
  • Value [String] = UviProcessExcludes = chrome.exe;msedge.exe;

GPO ADMX Templates

1. Download the Google Chrome ADMX templates fromSet Chrome Browser policies on managed PCs.
   
2. Extract the .zip file.
3. Go to the extracted files. In the\policy_templates\windows\admx folder, copy thechrome.admx andgoogle.admx files.
   
4. Go to PolicyDefinitions in your SYSVOL [e.g.\\domain.com\sysvol\domain.com\Policies\PolicyDefinitions] and paste the .admx files.
   
5. Go back to the extracted Google Chrome templates in the \policy_templates\windows\admx folder and copy theen-US folder.
   
6. Go to back to PolicyDefinitions in your SYSVOL and paste the en-US folder. It will add .adml files to the existing en-US folder.
   

Roam Chrome Settings

You can optionally enable Chromes roaming profile support. For details, seeUse Chrome Browser with Roaming User Profiles at Google Help.

1. Edit theCitrix All Users GPO.
2. Go to User Configuration | Policies | Administrative Templates | Google | Google Chrome.
3. On the right, double-clickEnable the creation of roaming copies for Google Chrome profile data and Enable it.
   

Browser Content Redirection Extension

To force install the Chrome Extension needed for Browser Content Redirection in Citrix Virtual Apps and Desktops [CVAD] 1808 and newer:

1. Edit theCitrix All Users GPO.
2. Go to User Configuration | Policies | Administrative Templates | Google | Google Chrome | Extensions.
3. On the right, double-clickConfigure the list of force-installed apps and extensions.
   
4. Enable the setting and click Show.
   
5. In the box, enter the following text and click OK.hdppkjifljbdpckfajcmlblbchhledln; //clients2.google.com/service/update2/crx

6. When a user opens Chrome from inside a VDA, the Citrix Browser Content Redirection Extension is automatically installed.
   
7. Configure the Citrix Policy settings detailed at Browser Content Redirection.
8. Redirection of websites from Chrome requires Workspace app 1809 or newer on the client device.
   
9. When you visit a whitelisted [ACL] website, on the client side, you should seeHdxBrowserCef.exe processes. These processes come from Workspace app, and does not use Chrome on the client side.
   

Internet Explorer / Edge Settings

This sectionassumes the GPOs have already been created.

Internet Explorer First Run Wizard

When a new user launches Internet Explorer, the first run wizard appears.

To prevent this from occurring, edit the Citrix VDA All Users GPO.

Internet Explorer First Run GPO Settings

• User Config | Policies | Administrative Templates | Windows Components | Internet Explorer
  • Prevent managing SmartScreen Filter = enabled, on
  • Prevent running First Run Wizard = enabled, Go directly to home page
  • Specify default behavior for a new tab page = enabled, Home page
  • Turn on Suggested Sites = disabled
• User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Compatibility View
  • Include updated Web site lists from Microsoft = enabled
• User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page
  • Turn on Enhanced Protected Mode = disabled

Enhanced Protected Mode might disable Internet Explorer add-ons. Read the text to determine if it should be disabled.

Users might see a message that Protected mode is turned off for the Local intranet zone.

To prevent this message, do the following:

1. Edit the Citrix VDA All UsersGPO.
2. Go to User Configuration > Preferences > Windows Settings > Registry.
3. Create a new Registry Item.
4. Set the Hive to: HKEY_CURRENT_USER
5. Set the Key Path to: Software\Microsoft\Internet Explorer\Main
6. Set the Value name to: NoProtectedModeBanner
7. Set the Value type to: REG_DWORD
8. Set the Value data to: 1
9. Click OK.
   

IE 11 in Windows 10 1703 and newer has a new button to open Edge.

• To hide this button, edita Group Policy that applies to users, go to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Settings | Advanced Settings | Browsing, and enable the settingHide the button [next to the New Tab button] that opens Microsoft Edge. Source =René Bigler on Twitter.
  

4SysOpsDisable Welcome to Microsoft Edge page and default browser prompt in Windows 10 1607: registry keys and PowerShell script to disable it.

Published Internet Explorer Settings Runonce

If a user launches Internet Explorer as a published application, then Internet Explorermight not be fully configured and thus some websites wont work. By default, Windows runs per-user configuration [ActiveSetup] of Internet Explorer only when the user connects to a full desktop, which doesnt happen when only launching published apps. To override this behavior so it works with published IE evenif the user never connects to a full desktop, do the following:

1. Edit the Citrix VDA All Users GPO.
2. Go to User Configuration > Policies > Windows Settings > Scripts [Logon/Logoff].
3. Double-click Logon.
   
4. Click Add.
   
5. In the Script Name field, enter runonce.exe.
6. In the Script Parameters field, enter /AlternateShellStartup. Click OK.
   
7. Note: running runonce.exe /AlternateShellStartupmight cause black borders around windows in published applications.
   • Black Border [IE 11] in Xen App 7.11 with runonce.exe is an example forum thread at Citrix Discussions.
   • To prevent the black borders problem for new profiles, deleteHKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} from the VDAs. Source =CTX227295Black Active Border Around Published Application for Profiles Created Using Runonce.exe /AlternateShellStartup.
   • A workaround detailed at Black Windows title bars at Citrix Discussions is to exportHKCU\Control Panel\Colors from a working session, and use Group Policy Preferences to deliver to values to the black border sessions.
     
8. Runonce.exe /AlternateShellStartup also causes the items in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to be executed when a published app is launched. Consider deleting the items [e.g. VMware Tools icon], or they might keep sessions open after users close their apps. Also seeCTX891671Graceful Logoff from a Published Application Renders the Session in Active State.
   
9. An alternative to runonce.exe /AlternateShellStartup is to run the following commands provided bySteve Washburn atActive Receiver connection after app is closed at Citrix Discussions.@echo off "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iesetup.dll",IEHardenUser start "" "C:\Program Files [x86]\Internet Explorer\iexplore.exe" exit

Windows 8.1/2012 R2 might not run the script at logon. Configure the following GPO computer settings to enable the script [configure these in the Citrix VDA Computer Settings GPO]:

Logon ScriptGPO Settings

• Computer Configuration | Policies | Administrative Templates | System | Group Policy
  • Configure Group Policy Caching = disabled. Windows 8.1/2012 R2 setting
  • Configure Logon Script Delay = enabled, 0 minutes. Windows 8.1/2012 R2 setting.
  • Configure User Group Policy loopback processing mode = Enabled, either Merge or Replace depending on the desired result

Internet Explorer Group Policy Preferences

The Internet Explorer Maintenance settings in group policy [User Configuration > Windows Settings > Internet Explorer Maintenance] have been removed in Internet Explorer 10 and Windows Server 2012.

If you run group policy editor on Windows Server 2008 R2 and try to add an Internet Settings object using Group Policy Preferences, notice there is no option to configure Internet Settings for Internet Explorer 9 or Internet Explorer 10.

If you use group policy editor in Windows 8 or Windows 2012, then Internet Explorer 10 is an option.

If you have access to Windows 8/2012, you can add an Internet Settings object for Internet Explorer 10. When configuring a setting, notice the red or green lines [and red or green circles]. Only green settings are applied. To change a setting to green, press F6 on your keyboard. To disable a setting, press F7 on your keyboard.

As you look through the tabs, youll see a bunch of green items. These green items will be applied and might not be the behavior you expect. To disable all settings on a particular tab, press F8. To turn them back on, press F5.

On the Common tab you can check the box to Apply once and do not reapply.

Internet Explorer Security Zone Configuration

There is a group policy setting at User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page | Site to Zone Assignment List that can be used to put Internet sites in Internet Explorer security zones. However, users cannot add their own sites [the user interface in Internet Explorer is grayed out].

This section details an alternative procedure for administrator-configured zones while allowing users to add their own Trusted Sites.

Note: Zones cant be configured using a Group Policy Preferences Internet Settings object so instead youll need to configure registry keys as detailed below.

1. Run Internet Explorer and configure security zones as desired.
2. If you are using Workspace Control in Receiver for Web or need pass-through authentication, make sure you add StoreFront as a Local Intranet Site.
   
3. Run Group Policy Management Console on the same machine where you have security zones configured.
4. Edit the Citrix VDA All UsersGPO.
   
5. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Collection Item. Name it IE Zones or similar.
   
6. Right-click the collection and click New > Registry Item.
   
7. Click the button next to Key Path.
   
8. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Click the key corresponding to the FQDN youre adding. Then select the registry value on the bottom that corresponds to the protocol [e.g. * or https]. Click Select. Note: 1 indicates Local Intranet zone.
   
9. Then click OK. Note: 1 indicates Local Intranet zone.
   
10. Feel free to rename the Registry Item to reflect the actual zone.
    
11. Repeat these steps for additional zones.

Internet Explorer Home Page

If you dont have access to Windows 8/2012 group policy editor, configure the default home page using a registry key.

1. Run Internet Explorer and configure home page as desired.
   
2. Run Group Policy Management Console on the same machine where you have the home page configured.
3. Edit the Citrix VDA All Users GPO.
   
4. Go to User Configuration > Preferences > Windows Settings > Registry and create a new Registry Item.
   
5. Click the button next to Key Path.
   
6. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. On the bottom, select Start Page. Then click Select.
   
7. On the Common tab, you can select Apply once and do not reapply. Then click OK.
   

Proxy Settings

If you dont have access to Windows 8/2012 group policy editor, configure Proxy Settings using registry keys. Proxy Settings are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Use Group Policy Preferences or similar to distribute the registry keys.

To prevent users from changing proxy settings, also configure the following group policy setting.

• User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel
  • Disable the Connections page = enabled

Internet Explorer Performance

Julian Mooren at XenApp & Internet Explorer Improving User Experience details how to enable Tracking Protection in Internet Explorer to reduce XenApp CPU. The procedure uses Group Policy Preferences to set registry keys, and adds a folder to Citrix Profile Management synchronization.

LoginVSI Web Browsing & Advertising Impact on VDI Performanceis a 33 page paper detailing how to enable Tracking Protection in Internet Explorer and Firefox, plus ad blocking plugin for Chrome.

Microsoft 365 Apps / Office 365 / Office 2021 / Office 2019 / Office 2016

Microsoft 365 Apps [aka Office 365] Planning

Microsoft 365 Apps ProPlus is supported on Windows Server 2019.

Microsoft FSLogix can roam Office cache files [e.g. Outlook .ost file] and Search Index. FSLogix is free for most customers.

CTP Marius SandbuGuide to Deploying Office 365 in RDSH and VDI Enviromentcontains:

• Common best-practices and guidelines
• Identity Federation and sync
• Licensing and Roaming
• Deployment and managing updates
• Vendors and Office 365 Optimization
• Skype for Business
• Teams
• Outlook
• OneDrive
• Group Policy
• Troubleshooting and general tips for tuning
• Remote display protocols and when to use when.
• Server 2019 and Office 365
• Office 2019 / Office 365 ProPlus

Citrix Implementation Guide Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x contains:

• Considerations for Outlook Cached Mode
• Group Policy settings for Outlook Cached Mode
• For Lync Audio/Video various options for delivering the Lync client
• Caveats for OneDrive for Business
• Licensing shared computer activation

VMwareBest Practices for Delivering Microsoft Office 365 in VMware Horizon 7contains:

• Requirements for Using Nonpersistent VDI and RDS with Office 365 ProPlus
• Using the Office 2016 Deployment Tool to download and install Office
• Enabling Shared Computer Activation on Nonpersistent VDI and RDS
• Considerations for Deploying Office 365 ProPlus to a Horizon Environment OneDrive, Outlook
• Office Group Policy Settings

Office 2021 / 2019

Office 2021 and Office 2019 are Perpetual version of Office, which means no new features until the next Office LTSC is released.

• By contrast, Microsoft 365 Apps ProPlus receives new features periodically [every few weeks].

Office 2021 and Office 2019 require volume licenses. See Microsoft Office 2019 Volume License Pack for KMS server or Active Directory activation.

There is no MSI installer for Office 2021 or Office 2019. Instead, you use Office Deployment Tool to download and install the Click-to-run version of Office 2021/2019 Volume License. See Deploy Office LTSC 2021 or Deploy Office 2019 [for IT Pros].

The Office 2021/2019 icons/shortcuts do not say 2021 or 2019 on the end. Theres no year designation.

File > Account shows the version info. As does Apps and Features.

Office Group Policy Templates

Download the Microsoft 365 Apps / Office LTSC 2021 / Office 2019 / Office 2016 group policy templates. The same templates are used for all Office versions 2016 and newer.

Microsoft renamed Office 365 to Microsoft 365 Apps.

Choose the bitness that you installed. The default for Microsoft 365 Apps is x64.

Microsoft 365 Apps, Office 365, Office 2021, Office 2019, Office 2016

1. Go to the downloaded Microsoft 365 Apps / Office 365 / Office 2021 / Office 2019 / Office 2016 group policy templates and runadmintemplates_x64_5077-1000_en-us.exe.
   Note: Office 2016, Office 2019, Office 2021, and Office 365 use the same group policy templates.

2. Check the box next to Click here to accept and click Continue.
   
3. Specify a folder to place the extracted templates in.
   
4. Click OK to acknowledge that files extracted successfully.
   
5. Go to the folder where you extracted the files, and open the ADMX folder.
   
6. Copy all .admx files, and the en-us folder, to the clipboard.
   
7. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions and paste the files.
   
   • If you do not have PolicyDefinitions in your Sysvol, then instead go to C:\Windows\PolicyDefinitions and paste the files.
     

Group Policy and Tweaks

This sectionassumes the Group Policy Objectshave already been created.

For Teams, edit the Citrix VDA Computer Settings GPO and enable the Group Policy settings shown below.

Prevent the per-user version of Teams from installing with Office 365 [aka Microsoft 365 apps]. Configure this GPO setting before installing Office. Then you can later install the machine-wide version of Teams. More details at Microsoft Docs.

• Updates Computer Configuration | Policies | Administrative Templates | Microsoft Office 2016 [Machine] | Updates
  • Dont install Microsoft Teams with new installations or updates of Office = enabled
    
  • Update Channel for Microsoft 365 Apps [aka Office 365] only
    

Edit the Citrix VDA All Users GPO and enable the Group Policy settings shown below. All are located under User Configuration > Policies.

Office 2013 group policy settings are different than the group policy settings for Office 2016, Office 2019, Office 365, and Microsoft 365 Apps. If you want to copy Office 2013 settings to Office 365 / 2019 / 2016 settings, see Microsofts Copy-OfficeGPOSettingsPowerShellscript.

Microsoft 365 Apps, Office 365, Office 2019, and Office 2016 are all version 16.0, thus the same GPO settings work for all of these versions. In Group Policy Editor, the GPO settings are under the Office 2016 folders.

• Disable Office Telemetry
  • Key = HKCU\Software\Microsoft\Office\Common\ClientTelemetry
    • Value [DWORD] DisableTelemetry = 0xffffffff
• User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | First Run
  • Disable First Run Movie = enabled
  • Disable Office First Run on application boot = enabled
• User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | Global Options |Customize
  • Allow roaming of all user customizations = enabled
• User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | Miscellaneous
  • Block signing into office = enabled, Org ID only Source = Microsoft Answers
  • Disable Office Animations = enabled
  • Do not use hardware graphics acceleration = enabled [if no GPU]
  • Hide file locations when opening or saving files = enabled, Hide OneDrive Personal
  • Suppress recommended settings dialog = enabled
• User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | Privacy | Trust Center
  • Automatically receive small updates to improve reliability = disabled
  • Disable Opt-in Wizard on first run = enabled
  • Enable Customer Experience Improvement Program = disabled
• User Configuration | Policies | Administrative Templates | Microsoft Office 2016 | Tools | Options | General | Service Options | Online Content
  • Online Content Options = enabled,Allow Office to connect to the Internet
• User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Account Settings | Exchange
  • Automatically configure profile based on Active Directory Primary SMTP address = enabled
• User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Account Settings | Exchange | Cached Exchange Mode
  • Use Cached Exchange Mode for new and existing Outlook profiles = disabled
  • If you prefer to use Cached Exchange Mode, set the above setting to enabled, and add below:Source =Citrixs Office 365 Implementation Guide
    • Cached Exchange Mode Sync Settings = enabled, time-window of downloaded content
    • Install FSLogix to assist with roaming of the OST file.
• User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Miscellaneous | PST Settings
  • Default location for PST files = enabled, users home directory
• User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Outlook Options | Other | AutoArchive
  • AutoArchive Settings = enabled, uncheck box next to Turn on AutoArchive
• User Configuration | Policies | Administrative Templates | Microsoft Outlook 2016 | Outlook Options | Preferences | Search Options
  • Prevent installation prompts when Windows Desktop Search component is not present = enabled
• Computer Config | Policies | Administrative Templates | Windows Components | Search |
  • Prevent indexing Microsoft Office Outlook = enabled [see below]

Office Click-to-Run Accept EULA Window

To get rid of the Accept Office License Agreement button/window

Use Group Policy Preferences to set the following registry values:

• HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Registration
  • AcceptAllEulas [DWORD] = 1
• HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Registration
  • AcceptAllEulas [DWORD] = 1

Office temp file errors

To prevent Office tempfile errors:

• User Configuration | Preferences | Window Settings | Folders |New Folder
  • Action = Create
  • Path =%Localappdata%\Microsoft\Windows\INetCache
    

Outlook and Windows Search

When launching Outlook, you might see the message Please wait while Windows configures Microsoft Office 64-bit Components.

To fix the Outlook search problem, you can either installWindows Search Service [Windows Feature].

Or enable the GPO setting: Computer Config | Policies | Administrative Templates | Windows Components | Search | Prevent indexing Microsoft Office Outlook.

Office VL Activation not working

If Office 2016+ Volume License is not activating correctly, set the following registry value as detailed at Microsoft Office cant find your license for this application at Citrix Discussions:

• Key =HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CtxUvi
  • Value =UviProcessExcludes [REG_SZ] = sppsvc.exe

Adobe Reader

Adobe Reader Group Policy

1. Download the Adobe Reader XI Policy Templates from Reader XI Administrative Template
2. Copy the .admx file and the en-us folder.
   
3. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files. If this folder doesnt exist, go to C:\Windows\PolicyDefinitions instead.
   
4. Click Yes when asked to replace files.
5. Now open a group policy that applies to all Citrix users.
6. Go to User Configuration > Administrative Templates > Adobe Reader > Preferences > General.
7. Open the setting Accept EULA and Enable it.
   
8. Then open the Display splash screen at launch setting and Disable it.
   

Disable Repair

In Adobe Reader, users can open the Help menu and click Repair Adobe Reader Installation.

Then users are prompted to reboot. Obviously this is not good. Even non-admins can reboot.

1. In regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\Installer.
2. Add the DWORD DisableMaintenance and set it to 1.
   
3. Now the Repair option is grayed out on the Help menu.
   
   
   

Disable Updates

For Acrobat Reader DC, you must edit the registry to disable Updates. This also works for Adobe Reader XI.

• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\Legacy\Reader\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
  • Mode = 0 [disables updates]

In Adobe Reader XI, there is a GUI method of disabling updates:

1. Run Adobe Reader from the Start Menu.
2. Open the Edit menu and click Preferences.
   
3. On the Updater page, change the selection to Do not download or install updates automatically and click OK.
   

Other Optimizations

Rick van Soest Removing The Cloud from Adobe Acrobat Reader DC:

• To remove tools, delete them from C:\Program Files [x86]\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU
• To remove the welcome screen, add the following registry dword value: HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
  • bUsageMeasurement [REG_DWORD] = 0
• To remove the add account button, HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint
  • BDisableSharePointFeatures [REG_WORD] = 1
• To remove the Check for update button, HKLM\Software\Adobe\Acrobat Reader\DC\Installer
  • DisableMaintenance [REG_DWORD] = 1

Adobe.com Citrix Deployments: Before deployment, the product should be configured as needed. In particular, you will want to disable features and behaviors that should not be accessible to end users in an IT-managed environment. For example:

• The Updater should be disabled as described in this guide and thePreference Reference.
• Accept the EULA on behalf of all users by setting the appropriate registry key.
• For multilanguage installations [MUI], set the preferred language for all users via the SUPPRESSLANGSELECTION property or registry settings described in thePreference Reference.
• Deploy enterprise files to the products directories [rather than per-user directories] so they are available to all users.
• There are over 500 documented settings. Refer to thePreference Referencefor complete registry and plist details.

Scrolling performance

If scrolling performance is poor in graphic intensive documents, try the following:

• Go toEdit > Preferences > Rendering.
• UncheckSmooth lineart andSmooth images. Alternatively, you can set these preferences during pre-deployment configuration:
  • HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasGraphics: 0x00000000
  • HKCU\Software\Adobe\Adobe Acrobat\10.0\Originals\bAntialiasImages: 0x00000000

Distiller performance

• In some environments, Distiller performance may suffer if the messages.log file becomes too large after a number of Distiller operations. Delete this file periodically. It is located at \ApplicationData\Adobe\Acrobat\Distiller\messages.log.
• Remove unused fonts from the Windows installation.

Citrix Files

Citrix Files allows you to access your files in ShareFile directly through a mapped drive providing a native Windows Explorer experience. Citrix FIles replaces ShareFile Drive Mapper.

Citrix Files instructions:

• Citrix Files Deployment Guide with Citrix Virtual Apps and Desktops Service at Citrix Docs
• Citrix CTX228273 Install and Use Citrix Files for Windows.

To install Citrix Files:

1. If Citrix ShareFile Drive Mapper is installed, uninstall it. Also seeCTX238202Upgrading from ShareFile Drive Mapper to Citrix Files for Windows.
   
2. In VDA 1808 and newer, Citrix Files is bundled with the VDA installer.
3. Or, download Citrix Files. The downloaded version might be newer than the version included with the VDA installer.
   
4. On a VDA, run CitrixFilesForWindows-v.exe.
   
5. Check the box next to I agree to the license terms, and clickInstall.
   
6. In theSetup Successful page, clickClose.
   

Session Lingering:

• Citrix recommends editing your Delivery Group and enabling Application Lingering for a couple minutes so Citrix Files has time to upload files.
  

To configure Citrix Files:

1. Go to C:\Program Files\Citrix\Citrix Files\PolicyDefinitions, and copy the file and folder.
   
2. Go to \\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions and paste the files and folder. If this path doesnt exist, then paste the files in C:\Windows\PolicyDefinitionson your Group Policy editing machines instead.
   
3. Edit a GPO that applies to all users.
   
   1. Go to User Configuration > Policies > Administrative Templates > Citrix Files.
   2. Citrix Files is enabled by default. If you only want some users to use Citrix Files, then you can configure a GPO to disable Citrix Files, and then configure a different GPO that re-enables it. The GPO that enables Citrix Files would be targeted to an AD group, and the GPO would be higher priority than the GPO that disables it. The setting to disable and enable Citrix Files is calledEnable Application.
      
   3. Edit the Account setting.
      
   4. Enable the setting, and enter your ShareFile URL. Click OK.
      
   5. The Mount Point settings let you map different parts of Citrix Files to different drive letters.
      
4. Edit a GPO that applies to the computers that have Citrix Files installed.
   
   1. Go to Computer Configuration > Policies > Administrative Templates > Citrix Files.
   2. The default Cache Location is AppData\Local\Citrix\Citrix Files\PartCache.
      
   3. Default Cache Size is 256 MB.
      
   4. Delete Cache on Exit is not needed on non-persistent machines, and not needed if the roaming profile cache is deleted on logoff. Make sure the Citrix Files cache is excluded from roaming profiles as detailed later.
      
   5. Auto Check-out of Office files can be enabled here.
      
   6. Auto-Update does not apply to Remote Desktop Session Host, so youll have to update those machines manually.
      
   7. Offline Access is enabled [allowed] by default.
   8. Personal Cloud Connectors [e.g. OneDrive] and On-Premises Connectors can be enabled from here.
      
5. Edit your Citrix Profile Management GPO.
   1. Go to Computer Configuration > Policies > Administrative Templates > Citrix > Profile Management > File system.
   2. Edit the setting Exclusion list directories.
      
   3. Add AppData\Local\Citrix\Citrix Files\ to the list.
      
6. If you have on-premises StorageZones Controllers, you can enable Single Sign-on by enabling Windows Authentication. On the StorageZones Controllers, run IIS Manager.
   
   1. Navigate to Default Web Site > cifs.
   2. In the middle, double-click Authentication.
      
   3. Right-click Windows Authentication and Enable it. If you dont see Windows Authentication in your list, you might have to install it using theRoles and Features wizard.
      
7. After logging into Citrix and logging into Citrix Files, when you launch File Explorer, youll seeCitrix Files on the left.
   
8. If the Login Window doesnt appear, the look for the icon in the system tray.
   

File Type Association

For the official Microsoft method of handling file type associations in Windows 10 and Windows Server 2016, seeWindows 10 How to configure file associations for IT Pros? at TechNet Blogs. This article details DISM, XML, and Group Policy.

Christoph Kolbicz at SetUserFTA: UserChoice Hash defeated Set File Type Associations per User or Group on Windows 10 and 2016 developed a tool to set specific File Type Associations. No DISM or XML needed.

Also see the following:

• James Rankin Deploying per-user file type associations [FTAs] on Server 2012 R2, Windows 8.1, Server 2016 and Windows 10 [reloaded again!]provides an overview of the challenges of administratively configuring FTAs on modern versions of Windows.
• James Rankin Deploying per-user file type associations in Windows 8.1 / Server 2012 R2 and beyond: Microsofts new DISM method of changing File Type Associations is done at the machine-level. Use Group Policy Preferences to change the machine registry key but on a per-user basis.

Next Steps

• Citrix Policy Settings
• Citrix Profile Management
• Back to XenApp/XenDesktop